agenttesla | 6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
05-12-2023 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe
Size

946KB
MD5

640c8c973410694aa5effd24c3286077
SHA1

af73830e92e7945c1d90b37a5572f4ab22b29180
SHA256

6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb
SHA512

e26e33326462acce623d9f0c5a4ace130b72e4c599f90d5f76a7477a105718eab58cd5442c603ff56f5a62ecd00c6e06ec8d5e3d3ed3efd0694d9817c67cffcf
SSDEEP

24576:/DkUNi1EvGhvqLJcZWgTOfVjUNQt6KyxGg5OpkLvZrB5ElRRN:/DkUrO1IAWgiVW8Ev5PrwL7

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.impot-expt.com
Port:
587
Username:
[email protected]
Password:
MymoneyRR$$$123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 3 IoCs

Processes:

PO.exePO.exePO.exe

pid process

1876 PO.exe
2924 PO.exe
3048 PO.exe

pid	process
1876	PO.exe
2924	PO.exe
3048	PO.exe

Loads dropped DLL 6 IoCs

Processes:

6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exePO.exe

pid	process
2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe
2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe
2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe
2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe
1876	PO.exe
1876	PO.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

PO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 1876 set thread context of 3048 1876 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2464 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO.exePO.exepowershell.exe

pid process

1876 PO.exe
1876 PO.exe
3048 PO.exe
3048 PO.exe
2748 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO.exePO.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1876 PO.exe
Token: SeDebugPrivilege 3048 PO.exe
Token: SeDebugPrivilege 2748 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2836 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO.exe

pid process

3048 PO.exe

flow	ioc
2	api.ipify.org

description	pid	process	target process
PID 1876 set thread context of 3048	1876	PO.exe	PO.exe

pid	process
2464	schtasks.exe

pid	process
1876	PO.exe
1876	PO.exe
3048	PO.exe
3048	PO.exe
2748	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1876	PO.exe
Token: SeDebugPrivilege	3048	PO.exe
Token: SeDebugPrivilege	2748	powershell.exe

pid	process
2836	DllHost.exe

pid	process
3048	PO.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exePO.exe

description	pid	process	target process
PID 2400 wrote to memory of 1876	2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe	PO.exe
PID 2400 wrote to memory of 1876	2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe	PO.exe
PID 2400 wrote to memory of 1876	2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe	PO.exe
PID 2400 wrote to memory of 1876	2400	6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe	PO.exe
PID 1876 wrote to memory of 2748	1876	PO.exe	powershell.exe
PID 1876 wrote to memory of 2748	1876	PO.exe	powershell.exe
PID 1876 wrote to memory of 2748	1876	PO.exe	powershell.exe
PID 1876 wrote to memory of 2748	1876	PO.exe	powershell.exe
PID 1876 wrote to memory of 2464	1876	PO.exe	schtasks.exe
PID 1876 wrote to memory of 2464	1876	PO.exe	schtasks.exe
PID 1876 wrote to memory of 2464	1876	PO.exe	schtasks.exe
PID 1876 wrote to memory of 2464	1876	PO.exe	schtasks.exe
PID 1876 wrote to memory of 2924	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 2924	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 2924	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 2924	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe
PID 1876 wrote to memory of 3048	1876	PO.exe	PO.exe

outlook_office_path 1 IoCs

Processes:

PO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

outlook_win_path 1 IoCs

Processes:

PO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

C:\Users\Admin\AppData\Local\Temp\6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe
"C:\Users\Admin\AppData\Local\Temp\6f23c4b060e644dc6a6f1cd7ac58e44a4f3e203ff6129b6109cb0076d969aedb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ncfbIt.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ncfbIt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB700.tmp"
3⤵
- Creates scheduled task(s)
PID:2464

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
PID:2924

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3048

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
48KB

MD5
e83ccb51ee74efd2a221be293d23c69a

SHA1
4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

SHA256
da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

SHA512
0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB700.tmp

Filesize
1KB

MD5
81fdc1aa7eb42d40f5d7fd2ef74b7129

SHA1
ff878de2ac3f26c8ac819eb2a0a4da0295550411

SHA256
99c7d301b124451357e02023b13ae6a20aa8f0b6dee34f6e2eff5eef10a8a8d7

SHA512
eae2d943b092157304b723b89b0ebcbd3c14c12ae8d08859f1b11ae6fa38d08f10bb3f4193369cdbbe428c48244c9bcddf00fa62fa495c793ffecf16a77c8ddd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
863KB

MD5
06b1815afd9df7aa22c3fc97792d781d

SHA1
a3462fdf332deffbb7044696b5ff14f64e9a3020

SHA256
733f7b902ddfefed89268afac9f1a52d2727051a815d4cd5b94225178bf62df0

SHA512
5aeb03268645e000aec2c5a58055670c2ed95f6456ddc2a0d1b1ded7edc03e08b9879437209de1e4e2e011bb6fd64ebbcac7278239bdc548ca63130222b29f8f

Download Submit
memory/1876-24-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/1876-25-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/1876-23-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-27-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-28-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/1876-29-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/1876-30-0x0000000005FB0000-0x000000000602C000-memory.dmp

Filesize
496KB

Download
memory/1876-53-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-21-0x0000000000190000-0x000000000026E000-memory.dmp

Filesize
888KB

Download
memory/2400-4-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2748-54-0x000000006E840000-0x000000006EDEB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-60-0x000000006E840000-0x000000006EDEB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-58-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2748-59-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2748-55-0x000000006E840000-0x000000006EDEB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2836-26-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2836-5-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/3048-50-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-56-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/3048-57-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-43-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-61-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/3048-62-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download